All Ledger wallets have a bug that lets hackers steal your cryptocurrency

Cryptocurrency enthusiasts who rely on Ledger hardware wallets to keep their coins safe ought to exercise extreme caution when sending funds: sticky-fingered hackers might be out to re-route your digital cheddar away from your intended recipient and straight to their own wallets instead.

The company has taken to Twitter to remind users to “always verify [their] receiv[ing] address” on their devices’ screen manually by using the “monitor screen” button at the bottom of each transaction request form.

Referring to a recent vulnerability report from DocDroid, Ledger acknowledged that its hardware wallets suffers from a flaw that makes it possible for attackers to infect it with malware, designed to trick you into sending your cryptocurrency to the hackers.

To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device’s screen by clicking on the “monitor button” pic.twitter.com/EMjZJu2NDh

“Ledger wallets generate the displayed receive address using JavaScript code running on the host machine,” the report reads. “This means that a malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.”

What is even worse is that – due to Ledger’s design which requires new addresses be generated consistently – users have no viable options to “verify the integrity of the receive address.” This could dupe users into thinking the displayed receiving address is indeed authentic, while this might not at all be the case.

The DocDroid report further indicates that all Ledger software could be exploited and modified by even unprivileged malware, which means attackers could abuse its system without any need to gain administrative rights.

The wallets also have no implementation in place to check for integrity and ensure anti-tampering. Indeed, the report claims Ledger wallets are so poorly designed that pre-infected devices could exploit users’ first-ever transaction to jack their crypto.

DocDroid disclosed the vulnerability to the Ledger a month ago, but its team preferred to fix the flaw by raising awareness about it – instead making changes to its code and interface.

Responding to annoyed customers on Twitter, Ledger said that the issue “cannot be solved in the absolute.”

“A malware can always change what you see on your computer screen,” the company wrote. “The only solution is prevention and building an UX to make the user check on its device. On device verification feature has been added [six] month ago already.”

So next time you’re making a transaction with your Ledger wallet, better take your time to make sure everything is in check: you might be risking getting all of your coins jacked.

Update: Ledger has detailed the vulnerability at length at their official blog.

Related Articles

ShareTweetIt’s become impossible to ignore cryptocurrency and blockchain — it’s everywhere, and there is no sign of slowing down. As a result, blockchain-based exchanges of information and tokens are releasing a wave of new possibilities for entrepreneurs. The rush to create innovative business solutions that are faster, more secure and more transparent is on. Blockchain […]

ShareTweet Bitcoin. Bitcoin. Bitcoin. Unless you’ve been hiding under a rock for the last few years, you will have heard at least someone in your network of friends and family mention this thing called Bitcoin. This post is not intended to explain what this goliath, revolutionary cryptocurrency is. No, no, no. We will assume you […]

ShareTweetFootball is known by the world community as a popular sport. This makes football sport a promising field of business in terms of revenue such as advertising, ticket matches to jersey sales. What happens if Blockchain technology is applied to the sports industry that is football? What impact will be given from the use of […]